
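## This file contains a CronJob that runs every 24h to automatically update the
## caBundle set on the APIService and ValidatingWebhookConfiguration resource.
## This allows us to store the CA bundle in a Secret resource which is
## generated by cert-manager's 'selfsigned' Issuer.
## The ca-helper container reads which resources to patch, and where to read
## each CA bundle from, out of the ConfigMap mounted at /config (see the
## -config argument below).
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  ## Cron fields are: minute hour day-of-month month day-of-week.
  ## A step of */24 only means "every 24 hours" when it is in the hour field;
  ## in the day-of-month field it matches the 1st and 25th, and with '*' in
  ## the minute and hour fields that fires every minute on those two days.
  ## "0 0 * * *" is the intended once-per-day run (daily at 00:00).
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: ca-helper
        spec:
          ## Dedicated service account; its ClusterRole is pinned by
          ## resourceNames to the single Secret, webhook configuration and
          ## APIService this job touches.
          serviceAccountName: {{ include "webhook.fullname" . }}-ca-sync
          restartPolicy: OnFailure
          ## NOTE(review): no pod/container securityContext is set; consider
          ## runAsNonRoot / readOnlyRootFilesystem if caSyncImage supports it --
          ## confirm against the image before adding.
          containers:
            - name: ca-helper
              image: {{ .Values.caSyncImage.repository }}:{{ .Values.caSyncImage.tag }}
              imagePullPolicy: {{ .Values.caSyncImage.pullPolicy }}
              args:
                - -config=/config/config
              volumeMounts:
                - name: config
                  mountPath: /config
              resources:
                requests:
                  cpu: 10m
                  memory: 32Mi
                limits:
                  cpu: 100m
                  memory: 128Mi
          volumes:
            - name: config
              configMap:
                name: {{ include "webhook.fullname" . }}-ca-sync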
---
## A plain Job with the same pod spec as the CronJob above, so the caBundle
## sync runs once as soon as the chart is installed instead of waiting for
## the CronJob's first scheduled run.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    chart: {{ include "webhook.chart" . }}
    app: {{ include "webhook.name" . }}
spec:
  template:
    metadata:
      labels:
        app: ca-helper
    spec:
      restartPolicy: OnFailure
      ## Same least-privilege service account as the CronJob.
      serviceAccountName: {{ include "webhook.fullname" . }}-ca-sync
      ## The helper's config is the ConfigMap defined further down in this file.
      volumes:
        - name: config
          configMap:
            name: {{ include "webhook.fullname" . }}-ca-sync
      containers:
        - name: ca-helper
          image: "{{ .Values.caSyncImage.repository }}:{{ .Values.caSyncImage.tag }}"
          imagePullPolicy: {{ .Values.caSyncImage.pullPolicy }}
          args:
            - "-config=/config/config"
          volumeMounts:
            - mountPath: /config
              name: config
          ## NOTE(review): no securityContext here either; see the CronJob
          ## pod spec for the same remark.
          resources:
            limits:
              cpu: "100m"
              memory: "128Mi"
            requests:
              cpu: "10m"
              memory: "32Mi"
---
## Configuration consumed by the ca-helper container (mounted at /config and
## passed via -config=/config/config on the CronJob and Job pods above).
## Each entry names a resource whose caBundle is rewritten and the source the
## bundle is read from.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  ## - apiServices: the caBundle comes from the 'tls.crt' key of the Secret
  ##   holding the webhook root CA, so it tracks the self-signed CA that
  ##   cert-manager issues.
  ## - validatingWebhookConfigurations: the caBundle comes from the pod's
  ##   mounted service-account ca.crt, i.e. the cluster CA. NOTE(review):
  ##   presumably this is because admission requests reach the webhook through
  ##   the aggregated API server rather than directly over the webhook's own
  ##   serving certificate -- confirm against the ca-helper source.
  ## The block scalar is JSON, so comments cannot go inside it.
  config: |-
    {
      "apiServices": [
        {
          "name": "v1beta1.admission.certmanager.k8s.io",
          "secret": {
            "name": "{{ include "webhook.rootCACertificate" . }}",
            "namespace": "{{ .Release.Namespace }}",
            "key": "tls.crt"
          }
        }
      ],
      "validatingWebhookConfigurations": [
        {
          "name": "{{ include "webhook.fullname" . }}",
          "file": {
            "path": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
          }
        }
      ]
    }
---
## Dedicated identity for the ca-sync CronJob and Job pods. Keeping it separate
## from the webhook's own service account means the sync pods hold only the
## narrowly scoped ClusterRole bound below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    chart: {{ include "webhook.chart" . }}
    app: {{ include "webhook.name" . }}
---
## Permissions for the ca-sync pods. Every rule is pinned with resourceNames,
## so the service account can read exactly one Secret and update exactly one
## webhook configuration and one APIService; list/watch are deliberately
## absent because resourceNames do not restrict those verbs.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  labels:
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    chart: {{ include "webhook.chart" . }}
    app: {{ include "webhook.name" . }}
rules:
  ## Read the Secret holding the webhook root CA (its tls.crt is the caBundle
  ## source for the APIService).
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
    resourceNames:
      - {{ include "webhook.rootCACertificate" . }}
  ## Rewrite the caBundle on the chart's own webhook configuration.
  ## NOTE(review): the ca-sync ConfigMap in this chart only declares a
  ## validatingWebhookConfigurations entry, so the mutatingwebhookconfigurations
  ## grant appears unused here; dropping it would tighten least privilege --
  ## confirm nothing else relies on it first.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - get
      - update
    resourceNames:
      - {{ include "webhook.fullname" . }}
  ## Rewrite the caBundle on the aggregated API registration for the webhook.
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
    verbs:
      - get
      - update
    resourceNames:
      - v1beta1.admission.certmanager.k8s.io
---
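## Binds the ca-sync ServiceAccount to its ClusterRole. The binding is
## cluster-scoped because the role covers cluster-scoped resources
## (apiservices and webhook configurations).
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "webhook.fullname" . }}-ca-sync
subjects:
  - kind: ServiceAccount
    name: {{ include "webhook.fullname" . }}-ca-sync
    ## Quoted like every other namespace field in this file: a release
    ## namespace such as "123" is a valid name but would otherwise render as
    ## an integer, and the binding would then fail validation.
    namespace: {{ .Release.Namespace | quote }}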